Forum Widgets
Latest Discussions
Nested App Authentication (NAA) token to protect middle-tier server
I'm working on an outlook addin and want to use the NAA accesstoken to validate the user on an api running on a php webserver. The addin runs as a taskepane (created with yo office) with the app only manifest. I have setup NAA to do Microsoft graph calls on behalf of the user. I have used this guid to setup NAA (copy/past) https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in I have setup a php server (not in Microsoft infrastruktur) for a simple API, that handlers MySQL calls and app only calls to Microsoft graph. The php api authenticate itself with a client secret from the Azure app registration. Both are working as expected. Can i use the accesstoken from the NAA, to authenticate the user on the php server? If it can be done how do I validate the token?
Conditional Access enforces MFA but Service Account still ask to secure account
Hi, I've setup Conditional Access policies to enforce MFA. But it excludes a group for service accounts. Whenever we login to a Service Account, they all ask to secure your account. Hit next > It says no MFA options are available > Skip. Both our own MFA conditional access policy and MS per-user conditional access policy excludes this group. The Legacy per-user authentication policy has all accounts disabled there in favour of the conditional access policy. We must be missing something here. Some of these are shared inboxes, others regular user accounts. Many of these services requires login through the typical Microsoft sign in screen to authorize access. Some does not support OpenID. So how do I 100% exclude service accounts from MFA? And how do I get rid of this popup to secure these accounts when it says no MFA options are available? TIA
Azure AD Health Failing
I am on the latest version of Azure AD Connect (2.5.79.0)... There are no network/DNS/connectivity issues at our site, it seems to me that Azure AD Health Service is having trouble because the endpoint is experiencing a service issue.. Is anyone else having the same problem with failure alerts/etc? I checked by running "Test-MicrosoftEntraConnectHealthConnectivity -Role SYNC" command, the stack trace throws an undocumented error number and complains of rate limiting issues... smells like the server is being overwhelmed or there are other issues slowing down the endpoint/service with the consequence that connections are piling up causing this error: Connectivity Test Step 1 of 2: Testing dependent service endpoints begins ... AAD CDN connectivity is skipped. Connecting to endpoint https://login.microsoftonline.com Endpoint validation for https://login.microsoftonline.com is Successful. Connecting to endpoint https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version Endpoint validation for https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version is Successful. Connectivity Test Step 1 of 2 - Testing dependent service endpoints completed successfully. Connectivity Test Step 2 of 2 - EventHub data upload procedure begins ... Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356250,LUR:WinEnd,LUT:2025-10-08T03:03:12.2035867Z,RC:1 TrackingId:<<< anonymized tracking ID>>> 0, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:03:13 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671. Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356837,LUR:IncomingUsage_ADHSPRODWUSEHSYNCIA-5,LUT:2025-10-08T03:03:54.9448143Z,RC:1 TrackingId:<<< anonymized tracking ID>>>, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:04:00 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671.
Escalation Inquiry: IP Logs Request for MS Account
Hello, I am seeking advice regarding a security issue with my Microsoft account. There were unauthorized login attempts on my account between May 23 and May 25, 2025. I submitted a ticket to Microsoft Privacy / Security Incident Response (SIR) regarding IP activity logs. My ticket was created on August 7, 2025 and escalated to the IP/SIR team on August 11, 2025. Since then, I have sent multiple follow-ups, but no response has been received. I also created a new ticket on September 17, 2025, but only received the automatic acknowledgment; no agent has contacted me. I am concerned because the logs are important for verifying my account security and ensuring no unauthorized access occurred. Could anyone advise typical processing times for IP activity requests or suggest ways to escalate this issue effectively? Thank you in advance for any guidance.
Microsoft Entra Connect sync stopped, request upgrade and library not found
Hello, I have the latest (for our company, present on Entra blade) version of Microsoft Entra Connect Sync: 4 days ago I noticed on Synchronization Service Manager that there is no sync of data; I have started the Microsoft Entra Connect Sync and found a big button with "Upgrade" word; I tried to execute the upgrade but when the it arrives to the Connect to Microsoft Entra ID step, I fill with my global administrator account but found a stop error: An error occured while retrieving the Active Directory schema. The error was: Could not load file or assembly 'file:///C:\Program Files\Microsoft Azure AD Sync\Bin\Microsoft.IdentityModel.Clients.ActiveDirectory.dll' or one of its dependencies. The system cannot find the file specified. and when I click again on Next I have the same request of global administrator user and password and the same error. Now, the library is not present but I verified, in a test tenant where I have a working Entra Connect Sync system, that the files is not present even there (and also when I start Microsoft Connect Entra Sync I haven't the upgrade button there); I also tried to repair the installation, but obviously the file is no there. What can I do? Are there other people with the same issue? Any idea is appreciated.Entra ID’s Keep Me Signed In Feature – Good or Bad?
The Entra ID Keep Me Signed In (KMSI) feature creates persistent authentication cookies to allow users to avoid sign-ins during browser sessions. Is this a good or bad thing and should Microsoft 365 tenants enable or disable KMSI. I think KMSI is fine in certain conditions and explain my logic in this article. Feel free to disagree! https://office365itpros.com/2025/09/17/kmsi-good-or-bad/Profile photo component adds unwanted overlay
Component https://myaccount.microsoft.com Run command: ms-settings:yourinfo Environment Profile picture uploaded through https://myaccount.microsoft.com Profile picture uploaded through Run command (WIN+R): ms-settings:yourinfo Retrieved via Microsoft Graph SDK / Graph REST API endpoint /v1.0/me/photos/$value Steps to Reproduce Go to https://myaccount.microsoft.com. Upload a new profile picture (no presence, badge, or branding requested). Retrieve the profile picture using Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value Render the image in the client application. Expected Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding. Actual Result The component renders an overlay (e.g., presence badge/ring/branding) on top of the photo, altering the image. Impact Users see altered profile photos, leading to inconsistencies with expectations. Breaks brand/UX design guidelines that rely on unmodified profile images. Severity Medium–High (affects identity consistency across apps using Graph). Notes This happens even though no overlay option was requested in either the upload or retrieval flow. Alternative: Steps to Reproduce and working as expected Run command (WIN+R): ms-settings:yourinfo Upload a new profile picture (no presence, badge, or branding requested). Retrieve the profile picture using Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value Render the image in the client application. Expected Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding. Actual Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding.Microsoft’s Effort to Develop a Broad People Platform
Microsoft 365 users see the profile card and might wonder where the information displayed on the card comes from. Entra ID is the obvious source, but the people platform that Microsoft is developing is another and could include information imported through a Copilot connector to build out a complete picture of users and contacts within a Microsoft 365 tenant. It’s early days yet, but beta code is available. https://office365itpros.com/2025/09/10/people-platform/
My Azure login is stuck at MFA and cannot proceed
In August, I was still able to log in to Azure, and by logging in through GitHub I could bypass 2FA. But now, no matter how I try, logging in via GitHub always requires 2FA. I can’t access my Azure account anymore—nothing works. The system prompts me to use Microsoft Authenticator to confirm a two-digit code in real time. My Microsoft Authenticator on my iPhone is logged into the same Microsoft account, but I’m not receiving any verification requests for Azure login. No matter how much I refresh, nothing shows up. I’ve already updated the Microsoft Authenticator app to the latest version from the App Store. However, my personal Microsoft account works fine and can log in without any issues.TAP Question
Hi All I hope you are well. Anyway, I'm looking for some clarification over Temporary Access Passes (TAP) as our testing seems to reveal some different results from those listed in the MS documentation. Here's the scenario's. My understanding: Require MFA policy deployed via Conditional Access New user F3 user starts Issue TAP to user where they can then setup MFA themselves via My Security Info etc Testing results: Require MFA policy deployed via Conditional Access New user F3 user starts User can setup MFA themselves via MS Auth app on a mobile device or via My Security Info in a browser MS TAP Info page: "The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts." Ref: Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn Have I missed understood something here and if a new user can indeed still setup MFA is there any real need for a TAP for first time user? Info appreciated. SK
